puppet-os-hardening

This Puppet module provides numerous security-related configurations, providing all-round base protection.

APACHE-2.0 License

Stars: 281
Committers: 38

puppet-os-hardening - puppet-os-hardening 2.4.0 Latest Release

Published by mcgege 11 months ago

  • Compatibility for Puppet version 8

puppet-os-hardening - puppet-os-hardening 2.3.3

Published by mcgege about 2 years ago

Changes in v2.3.3

  • fix CI: use docker driver for transferring files (#290)
  • Disable new check 'os-14' for automated testing (#291)
  • Restore ability to override /etc/shadow file permissions and group owner (#293)
  • move to CentOS 8 Stream from quay.io (#295)
  • fix(pam_passwdqc): remove accidental paste from pam_passwdqc.erb (#299)

puppet-os-hardening - puppet-os-hardening 2.3.2

Published by mcgege about 3 years ago

Changelog generator still broken, sorry

Really new in v2.3.2

  • Backwards incompatible breaking change in PR279 #284
  • Backwards incompatible breaking change in PR279 (#284) #285 (earthgecko)

puppet-os-hardening - puppet-os-hardening 2.3.1

Published by mcgege over 3 years ago

Changelog generator problem - older changes included in current delta

Implemented enhancements:

  • Add support for Puppet 7 #267
  • allow defining parameters in hiera #248
  • Add integration tests for current platforms #172
  • Add Puppet 7 tests + new versions #282 (mcgege)
  • Remove Puppet v5 support + tests #281 (mcgege)
  • update to PDK template 2.1.1 #278 (mcgege)
  • Add documentation on hiera usage (see #248) #274 (mcgege)
  • Update to PDK 2.0 template #273 (mcgege)
  • Fix: Dead links result in an error #271 #272 (LooOOooM)
  • move to github actions #264 (schurzi)
  • fixed alignment of properties and indentation #263 (hp197)
  • Added manage_system_users option and formatted properties #262 (hp197)
  • use new syntax for stub in rspec #259 (schurzi)
  • Fix + switch for arp_ignore #256 (mcgege)
  • Move from inspec to cinc #238 (mcgege)

Fixed bugs:

  • Activate manage_cron_permissions to satisfy cron tests #269 (mcgege)
  • Solve bundle problem on automated tests #268 (mcgege)
  • add source for chef-utils gem (bundle confusion) #265 (mcgege)
  • Revert "secure_redirects should be set to 1 (default)" #260 (mcgege)
  • Switch to Inspec 4 to break bundler loop #257 (mcgege)

Closed issues:

  • New warning - max_files - exceeds the default soft limit 1000 #279
  • enable_log_martians to false are logged #277
  • Dead links result in an error #271
  • Duplicate declaration #270
  • Using relative file modes can result very wrong in some cases #222

Merged pull requests:

puppet-os-hardening - puppet-os-hardening 2.3.0

Published by mcgege over 3 years ago

Implemented enhancements:

  • Use CINC (instead of InSpec 4) #212
  • move to github actions #264 (schurzi)
  • fixed alignment of properties and indentation #263 (hp197)
  • Added manage_system_users option and formatted properties #262 (hp197)
  • use new syntax for stub in rspec #259 (schurzi)
  • Move from inspec to cinc #238 (mcgege)

Fixed bugs:

  • Fix Travis tests #255
  • add source for chef-utils gem (bundle confusion) #265 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.11

Published by mcgege over 3 years ago

Fixed bugs:

  • Revert "secure_redirects should be set to 1 (default)" #260 (mcgege)

Closed issues:

  • Default $arp_restricted=true breaks Calico overlay network #254

puppet-os-hardening - puppet-os-hardening 2.2.10

Published by mcgege almost 4 years ago

Implemented enhancements:

  • Fix + switch for arp_ignore #256 (mcgege)

Fixed bugs:

  • Switch to Inspec 4 to break bundler loop #257 (mcgege)

Closed issues:

  • os_hardening failing on centos7 #241

Merged pull requests:

  • Disable sysctl configuration #253 (Tahitibob35)

puppet-os-hardening - puppet-os-hardening 2.2.9

Published by mcgege almost 4 years ago

Implemented enhancements:

  • More secure kernel settings #250 (mcgege)
  • Set SHA_CRYPT_*_ROUNDS (Telekom security req linux-10) #249 (mcgege)
  • Update to PDK 1.18.1 #242 (mcgege)

Merged pull requests:

  • Adapt Travis to puppetlabs standard #247 (mcgege)
  • Small fixes #243 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.8

Published by mcgege over 4 years ago

Implemented enhancements:

  • Updates from pdk template 1.17.0 #236 (mcgege)

Fixed bugs:

  • Minimize_access to File [/usr/bin] issue #234
  • Fix for integration tests (apt-transport-https missing) #237 (mcgege)

Closed issues:

  • Conflicts with apache module #231

Merged pull requests:

  • patch-cumuluslinux-support #239 (mdklapwijk)
  • Update to PDK 1.15 #233 (mcgege)
  • Small fix on kitchen.yml #232 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.7

Published by mcgege about 5 years ago

Implemented enhancements:

  • If disabled service should also be stopped #226 (mcgege)
  • Manage files /etc/anacrontab and crontab equally #225 (mcgege)

Fixed bugs:

  • Travis-CI fix (kitchen / faraday broken?) #228 (mcgege)

Closed issues:

  • disabled_services should be stopped too #224
  • os_hardening::minimize_access should treat anacrontab the same as crontab #223

Merged pull requests:

  • CentOS 8 support #229 (mcgege)
  • Updates from pdk template 1.13.0 #227 (mcgege)
  • Updates from pdk template 1.12.0 #221 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.6

Published by mcgege about 5 years ago

Implemented enhancements:

  • Proxy support / SUSE fixes #217 (mcgege)
  • Updates from pdk template 1.11.1 #215 (mcgege)
  • Metadata / Travis fixes #211 (mcgege)
  • CIS: Fix permissions on home cron and log dirs #203 (PenguinFreeDom)

Fixed bugs:

  • Approve stdlib v6 + resolve librarian-puppet problem #213

Closed issues:

  • Error: no implicit conversion of Integer into String #199

Merged pull requests:

  • allow puppet-stdlib v6 #219 (mcgege)
  • OpenSUSE 42.3 docker image correction #214 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.5

Published by mcgege over 5 years ago

Fixed bugs:

  • Augeas sysctl needs explicit string value #207 (mcgege)

Merged pull requests:

  • Kitchen fix #206 (mcgege)
  • Some applications require different setting for icmp_ratelimit #204 (tuxmea)

puppet-os-hardening - puppet-os-hardening 2.2.4

Published by mcgege over 5 years ago

Implemented enhancements:

  • Adjust .travis.yml to PDK template #197 (mcgege)

Fixed bugs:

  • Add dirs to exclude to .pdkignore #196 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.3

Published by mcgege over 5 years ago

Implemented enhancements:

  • Integration tests with DigitalOcean (see #180) #194 (mcgege)
  • Update to PDK 1.9.1 #191 (mcgege)
  • Update to PDK 1.9.0 #190 (mcgege)

Merged pull requests:

  • Update to PDK 1.10.0 #193 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.2

Published by mcgege over 5 years ago

Implemented enhancements:

  • Readme updates #188 (mcgege)
  • Replace sysctl module #183 (mcgege)
  • Add version tag on puppetforge #182 (mcgege)

Fixed bugs:

  • Wrong permission on module files #175
  • Add missing dependency #184 (theosotr)

Merged pull requests:

  • Replace Gitter with mailing lists #185 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.1

Published by mcgege over 5 years ago

Merged pull requests:

  • Bugfix script to change file + dir permissions for Puppet Forge build #176 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.2.0

Published by mcgege over 5 years ago

Implemented enhancements:

  • Test / Update for Puppet 6 #156
  • Update test mechanisms #169 (mcgege)
  • New option rpfilter_loose to enable loose mode (rp_filter = 2) #163 (mcgege)

Fixed bugs:

  • Rhel 7 won't boot on physical server #165

Closed issues:

  • Wrong permission on git project files ? #164
  • module on the forge is not in sync with version of github #160
  • Fix broken tests in Travis CI #123

Merged pull requests:

  • Also works with current puppetlabs/stdlib (5.1.0 tested) #168 (mcgege)
  • Do not disable vfat. Fixes #165. #166 (timstoop)
  • Add support for Ubuntu 18.04 and SLES 15 in metadata.json #162 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.1.3

Published by mcgege almost 6 years ago

Implemented enhancements:

  • Support os umask #152 (hdep)
  • Easy add and remove packages, disable services #138 (timstoop)

Closed issues:

  • user resource conflict with puppetlabs/apache: Duplicate declaration: User[www-data] is already declared #157
  • Missing comments in managed file : file managed by puppet #146
  • Missing requirements in readme file #145

Merged pull requests:

  • Update issue templates #158 (rndmh3ro)
  • rework README #155 (mcgege)
  • Create license file #154 (mcgege)
  • Create license file #153 (mcgege)
  • Add 'MANAGED BY PUPPET' header #150 (hdep)
  • Fix missing Requirements in Readme #149 (hdep)
  • Add OpenSUSE 15 to the supported distributions #148 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.1.2

Published by mcgege about 6 years ago

Implemented enhancements:

  • Deploy GRUB hardening #137 (timstoop)
  • Only allow root and members of group wheel to use su #134 (timstoop)
  • Fix permissions on /etc/gshadow, based on CIS DIL Benchmark 6.1.5. #133 (timstoop)

Merged pull requests:

  • Add stricter file permissions + PE fix #136 (mcgege)

puppet-os-hardening - puppet-os-hardening 2.1.1

Published by mcgege over 6 years ago

Implemented enhancements:

  • Convert module into "standardized PDK module" #107
  • Adding new param to specify maildir path. Updated nologin path for Re… #127 (hundredacres)
  • converted module to pdk #107 #120 (enemarke)

Closed issues:

  • net.ipv4.tcp_rfc1337 not a valid sysctl key #124

Merged pull requests:

  • Add password_warn_age parameter for login.defs #128 (claw-real)
  • CI: switch testing to DigitalOcean #126 (artem-sidorenko)
  • Refactoring and new spec test #121 (enemarke)